[BreachExchange] Destructive Cyber Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 28 20:05:36 EDT 2017


http://www.itproportal.com/features/destructive-cyber-attacks/

Over the past twenty years, destructive cyber-attacks have increased
significantly, especially ones conducted by nation states. Given the level
of damage they cause, you might expect them to be carried out using a
sophisticated toolset. However, in most of the cases we have seen, the
attacks were delivered using relatively unsophisticated tools. Often we see
basic techniques used to deliver destructive malware, such as boot record
wipers: overwriting the first sector of a disk is highly effective, yet it
is relatively simple to code. More often it is the softer targets, such as
civilians and private corporations, that are hit. Unfortunately, when
nation states leverage cyber-attacks, the private sector often pays the
price.
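The boot-record wiper mentioned above is cheap to build because the attacker only has to overwrite the first 512-byte sector of the disk. The defensive counterpart is just as cheap: parse that sector, check that it still looks like a master boot record, and compare it against a baseline taken when the machine was built. The following Python is an added example, not code from the article or from any product it mentions; the sample sectors (a NOP-filled bootstrap area with a single NTFS partition, plus three tampered variants) are constructed here for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # bootstrap code ends here; 4 x 16-byte entries follow
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return the bootstrap-code hash and the used partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entries.append(parse_partition_entry(sector[start:start + 16]))
    return {
        "code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],  # type 0 marks an unused slot
    }


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings; an empty list means the sector still matches the baseline."""
    try:
        mbr = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable boot record: {exc}"]
    findings = []
    if mbr["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not mbr["partitions"]:
        findings.append("partition table is empty")
    for i, p in enumerate(mbr["partitions"]):
        # status must be 0x00 (inactive) or 0x80 (bootable); LBA 0 would overlap the MBR itself
        if p["status"] not in (0x00, 0x80) or p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition entry {i} is malformed")
    return findings


# --- constructed sample sectors (assumed layout, not taken from any real disk) ---
def build_sample_mbr() -> bytes:
    """Known-good sample: NOP-filled bootstrap area and one bootable NTFS partition."""
    code = b"\x90" * PARTITION_TABLE_OFFSET
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return code + ntfs + bytes(16) * 3 + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(CLEAN_MBR[:PARTITION_TABLE_OFFSET]).hexdigest()
ZEROED_MBR = bytes(SECTOR_SIZE)                    # whole sector overwritten with zeros
PATCHED_MBR = b"\xcc" * 32 + CLEAN_MBR[32:]        # bootstrap code replaced, table kept
TABLE_WIPED_MBR = CLEAN_MBR[:PARTITION_TABLE_OFFSET] + bytes(64) + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("zeroed", ZEROED_MBR),
                         ("patched", PATCHED_MBR), ("table wiped", TABLE_WIPED_MBR)]:
        print(f"{name:12s} {check_mbr(sector, BASELINE) or 'OK'}")
```

On a real host the sector would be read from the raw device (for example the first 512 bytes of /dev/sda on Linux, as root), and the baseline hash belongs off the machine: a wiper that can rewrite the MBR can just as easily rewrite a baseline file stored next to it.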

The general trend since 2010 has been the use of simple but destructive
malware, with the most recent example being NotPetya. This malware paired a
basic destructive module with a sophisticated back-door. The destructive
component itself was not overly sophisticated, nor did it contain
innovative capabilities. We expect this trend to continue as threat actors
are encouraged by the lack of consequences for running this type of attack.

The early days of destructive cyber attacks

Destructive cyber-attacks go back at least as far as the early 1980s. One
of the earliest reported was the Siberian pipeline hack. According to the
account given in Thomas Reed's 2004 memoir At the Abyss, the French
government alerted the CIA that the Soviets had infiltrated some US
laboratories, factories and government agencies. The CIA had learned about
a software shopping list which the Soviets needed to operate a natural gas
pipeline in western Ukraine, and fooled them into acquiring software with
built-in flaws. The software was used to operate the pumps, turbines and
valves within the pipeline, and the flaws caused them to malfunction at
random times. The pressure within the pipeline became too great for the
joints to hold, resulting in what Reed described as one of the world's
largest non-nuclear explosions. Thankfully there were no casualties, but
part of the Trans-Siberian Pipeline was vaporised as a result of the
explosion. Whether events unfolded exactly as Reed describes has since been
disputed, but the episode remains the usual starting point for the history
of destructive attacks.

There have been numerous destructive attacks since the 1982 Siberian
pipeline explosion, the most recent being the infamous NotPetya attack,
which posed as ransomware. The self-propagating malware infected
approximately 25,000 computers with the aim of wiping their hard drives
when the machines rebooted. These kinds of destructive cyber-attacks are
used by nation states for a number of reasons, such as retaliation for a
previous action, covert disruption of operations, or simply to signal
displeasure. There is little reason for nations to stop this behaviour, as
there is a comparative lack of consequences.

Getting away with it

Governments are often unwilling to retaliate after a destructive
cyber-attack, as retaliation can escalate quickly and cross the line into
physical attacks. Because of this fear, governments can be unwilling or
unable to close off the parts of the internet that this type of attack
travels through. As such, we are unlikely to see any government with large
offensive and defensive capabilities push for a policy change. If
equivalent force were used in the physical world there would be severe
consequences, yet some nations are failing to take cyber seriously. Because
of the global reach a cyber-attack can have, governments are rushing to use
these capabilities while still attempting to understand cyber space and the
real-world effects of cyber-attacks.

What the future holds

If we continue to allow these destructive cyber-attacks to go unpunished,
we should expect nations to experiment with their attack capabilities and
to hone their ability to use them for numerous purposes. It is likely that
we will see an increase in attacks of low sophistication in the coming
years, with non-government institutions being useful targets for advancing
a hostile nation's interests.

DDoS attacks are currently the most widely used tool for hacktivists.
However, with more destructive tools continuing to be used, our society is
becoming numb to reports of new cyber-attacks. Criminals wanting to develop
their business model will be able to move into the DDoS space by launching
larger and longer-lasting attacks combined with better obfuscation.

Unfortunately, it does not look as though we can rely on governments to
stop using their full cyber capabilities, and as such we will likely see an
increase in attacks from non-state actors, along with an increase in
arrests and prosecutions. A couple of ideas have been discussed to help
manage this situation, although there is a possibility that they will only
create a more difficult environment for all involved.

Deterrence by denial is a phrase we have been hearing more and more often.
It is only achievable if cyber security evolves to a state where companies
can implement defensive technologies that truly rival those of the
attacker. Hacking back is another concept that gets discussed every so
often, and there is even a bill in the U.S. House of Representatives which
would allow this method to be used within limited boundaries.
Unfortunately, policies and procedures are unlikely to stop this growing
threat. The criminals who carry out destructive cyber-attacks have
significant motivations and resources and, given enough time, will be able
to work through any combination of security technology.

Owning the battlefield

It is essential that businesses understand why they could be potential
targets for nation states, as this will enable them to apply effective
countermeasures. It is also important to remember that destructive
cyber-attacks are just a small subset of the overall threats which
organisations face.

From the moment an attacker enters a network it is a race against the
clock for a security team to detect them and prevent them from destroying
the network and its information. Currently, the time from breach to
detection is measured in weeks if not months, which is far too long. If we
are to make a significant reduction in detection time we need to use
intelligence, hunting and active monitoring. We need to perfect these
techniques now if we are to successfully defend the private sector against
further destructive attacks.
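One concrete form of the hunting and active monitoring called for above, written here as an added example rather than code from the article: a boot-record wiper of the kind described earlier has to open the raw physical disk for writing and then force a reboot before its damage takes effect, so those two events on the same host within a short window are a signal worth alerting on before the reboot happens. The log lines, host names, paths and the key=value field layout below are constructed for this demonstration and do not correspond to any real product's telemetry schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format, not a real product's schema):
# one process event per line; "open=" records a device handle the process took.
SAMPLE_LOG = r"""
2017-06-27T10:12:03Z host=ws-17 pid=4120 image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
2017-06-27T10:13:41Z host=ws-17 pid=5228 image=C:\Users\Public\update.exe cmd="update.exe" open=\\.\PhysicalDrive0 access=write
2017-06-27T10:13:42Z host=ws-17 pid=5302 image=C:\Windows\System32\schtasks.exe cmd="schtasks /Create /SC once /TN svc /TR 'shutdown.exe /r /f' /ST 10:43"
2017-06-27T10:20:00Z host=ws-09 pid=800 image="C:\Program Files\Backup\imager.exe" cmd="imager.exe --full" open=\\.\PhysicalDrive0 access=read
2017-06-27T18:00:00Z host=ws-09 pid=912 image=C:\Windows\System32\shutdown.exe cmd="shutdown /r /t 0"
2017-06-27T11:05:10Z host=ws-22 pid=640 image=C:\Windows\System32\shutdown.exe cmd="shutdown /r /f /t 0"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# shutdown or shutdown.exe anywhere in the command line, followed by a /r switch
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)
WINDOW = timedelta(minutes=30)   # assumed: how long after the raw write a reboot still counts


def parse_line(line: str) -> dict:
    """Split a log line into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_raw_disk_write(ev: dict) -> bool:
    """True when the process opened \\.\PhysicalDriveN with write access."""
    dev = ev.get("open", "").lower()
    return dev.startswith(r"\\.\physicaldrive") and ev.get("access") == "write"


def is_forced_reboot(ev: dict) -> bool:
    """True for a direct reboot or a scheduled task that wraps one."""
    return bool(REBOOT_RE.search(ev.get("cmd", "")))


def find_wiper_sequences(log_text: str, window: timedelta = WINDOW) -> list:
    """Return (host, writer_pid, reboot_pid) for every raw disk write that is
    followed on the same host by a reboot command within `window`."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])
    pending = {}   # host -> most recent raw write event not yet paired
    hits = []
    for ev in events:
        if is_raw_disk_write(ev):
            pending[ev["host"]] = ev
        elif is_forced_reboot(ev):
            w = pending.get(ev["host"])
            if w is not None and ev["ts"] - w["ts"] <= window:
                hits.append((ev["host"], w["pid"], ev["pid"]))
    return hits


if __name__ == "__main__":
    for host, writer, rebooter in find_wiper_sequences(SAMPLE_LOG):
        print(f"ALERT {host}: pid {writer} wrote the raw disk, pid {rebooter} forced a reboot")
```

In the sample, ws-17 trips the rule (raw write, then a scheduled forced reboot one second later), while ws-09 does not: its backup imager only reads the raw disk, and its reboot comes hours later. The point of pairing the two events rather than alerting on either alone is that raw reads are routine for backup and imaging tools and reboots are routine everywhere; the combination, in that order, on one host, is what a wiper needs and ordinary software rarely does.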